https://community.splunk.com/t5/Splunk-Search/Pull-Date-from-Filename/m-p/226347#M176229 <P>Although your props.conf has SHOULD_LINEMERGE as false, I am not sure why the screenshot you provided has mutiple events merged together. If every event in your log does not have end line character then you should also consider using BREAK_ONLY_BEFORE or BREAK_ONLY_AFTER parameters for props.conf.</P> <P>Nevertheless, Splunk has several inbuilt algorithms with precedence in order to identify timestamp of each event. If every algorithm fails, it resorts to File Modified time. In your screenshot I can see that even filename is having same date as that logged inside the file. So if you edit Timestamp identification of props.conf, you might be able to tell Splunk to always get date from the file modified date and time from the event timestamp. In your case you may achieve this by setting <STRONG>MAX_TIMESTAMP_LOOKAHEAD=8</STRONG> which overlooks the event Date: 16-06-2016 00:00:33 to extract datetime of the event.</P> <P>[custom_type]<BR /> <STRONG>SHOULD_LINEMERGE=false</STRONG><BR /> NO_BINARY_CHECK=true<BR /> CHARSET=AUTO<BR /> <STRONG>MAX_TIMESTAMP_LOOKAHEAD=8</STRONG><BR /> disabled=false<BR /> invalid_cause=binary<BR /> is_valid=false</P> <P>PS: If possible you should consider as to how to get the logs written with Date-Time stamp for each event rather than just time, as Time of event is the most crucial information for proper indexing of data. </P> <P>Above method might fail when date rolls over from one to other around midnight.</P> Tue, 29 Sep 2020 11:48:21 GMT niketn 2020-09-29T11:48:21Z https://community.splunk.com/t5/Splunk-Search/Pull-Date-from-Filename/m-p/226345#M176227 <P>So I have some logs that are in the following format: </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2135i40E2D193D81A45A1/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span><BR /> Filename: 16061601rw.dat</P> <P>Each line has a time stamp, but it doesn't include the date. I've checked a ton of answers about getting date from the filename but i cant get it to work properly. When it is being ingested into splunk it looks like this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2136i2C0474B54EF00E76/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>It is probably worth mentioning that where it starts stamping them as 15/06/2016, it has defaulted back to the last logs date.</P> <P>Here is my attempted edit of the datetime.xml:</P> <PRE><CODE>&lt;text&gt;&lt;![CDATA[source::.*?((\d{2})(\d{2})(\d{2}))*.dat]]&gt;&lt;/text&gt; </CODE></PRE> <P>and I have a custom data type in props.conf that I am trying to use to get it to correctly date the entries:</P> <PRE><CODE>[custom_type] DATETIME_CONFIG = /Applications/Splunk/etc/datetime.xml SHOULD_LINEMERGE = FALSE </CODE></PRE> <P>Can anyone help with this? I think it is most likely an issue with the regex but I'm not sure</P> Fri, 11 Nov 2016 07:10:36 GMT https://community.splunk.com/t5/Splunk-Search/Pull-Date-from-Filename/m-p/226345#M176227 adrianduff 2016-11-11T07:10:36Z https://community.splunk.com/t5/Splunk-Search/Pull-Date-from-Filename/m-p/226346#M176228 <P>FIrst, I would never do this by editing datetime.xml if there were any other way. But that is not your current problem.</P> <P>Here is the problem: your props.conf is not being used. <BR /> I can tell because props.conf specifies that the input is one line per event, but that is not at all what Splunk is doing.<BR /> Where is the inputs.conf that collects this data? What kind of forwarder are you using? Where is this props.conf located? Does the sourcetype that you assigned in inputs.conf match the sourcetype you specified in props.conf?</P> Sun, 13 Nov 2016 14:33:25 GMT https://community.splunk.com/t5/Splunk-Search/Pull-Date-from-Filename/m-p/226346#M176228 lguinn2 2016-11-13T14:33:25Z https://community.splunk.com/t5/Splunk-Search/Pull-Date-from-Filename/m-p/226347#M176229 <P>Although your props.conf has SHOULD_LINEMERGE as false, I am not sure why the screenshot you provided has mutiple events merged together. If every event in your log does not have end line character then you should also consider using BREAK_ONLY_BEFORE or BREAK_ONLY_AFTER parameters for props.conf.</P> <P>Nevertheless, Splunk has several inbuilt algorithms with precedence in order to identify timestamp of each event. If every algorithm fails, it resorts to File Modified time. In your screenshot I can see that even filename is having same date as that logged inside the file. So if you edit Timestamp identification of props.conf, you might be able to tell Splunk to always get date from the file modified date and time from the event timestamp. In your case you may achieve this by setting <STRONG>MAX_TIMESTAMP_LOOKAHEAD=8</STRONG> which overlooks the event Date: 16-06-2016 00:00:33 to extract datetime of the event.</P> <P>[custom_type]<BR /> <STRONG>SHOULD_LINEMERGE=false</STRONG><BR /> NO_BINARY_CHECK=true<BR /> CHARSET=AUTO<BR /> <STRONG>MAX_TIMESTAMP_LOOKAHEAD=8</STRONG><BR /> disabled=false<BR /> invalid_cause=binary<BR /> is_valid=false</P> <P>PS: If possible you should consider as to how to get the logs written with Date-Time stamp for each event rather than just time, as Time of event is the most crucial information for proper indexing of data. </P> <P>Above method might fail when date rolls over from one to other around midnight.</P> Tue, 29 Sep 2020 11:48:21 GMT https://community.splunk.com/t5/Splunk-Search/Pull-Date-from-Filename/m-p/226347#M176229 niketn 2020-09-29T11:48:21Z